article banner
Article

Assurance mapping: clarifying sources of assurance

Eddie Best Eddie Best

With recent events bringing increasing complexity in businesses, audit committees, boards and executive management can be hindered by uncoordinated risk assurance. Eddie Best and Martin Gardner look at how assurance mapping can get everyone on the same page.

First-line management, second-line functions monitoring compliance and internal audit all gain comfort from evidence that business risk is being managed effectively. A key challenge in this is how to synthesise risk information and assurance in-line with the agreed corporate risk appetite. This clarity can be achieved with effective assurance mapping. 

Good assurance mapping provides a consolidated view of assurance against each key risk, process, or function. It enables the board and audit committee to:

  • identify and action gaps (in both quality and coverage)
  • increase efficiency by removing duplication and encouraging combined assurance
  • ensure public disclosures on internal control are supported by appropriate evidence

Effective assurance mapping can also prompt a valuable risk-management discussion, challenge and oversight from the audit committee, and provide a basis from which to plan future assurance activity.

There's also increased regulatory focus on assurance strategies. For example, the Brydon review recommends a three-year rolling audit and assurance policy for principal risks. This provides an ideal opportunity for internal audit to add value and play a role.

However, I've often seen assurance mapping that's either lacking detail or fails to deliver by being overly theoretical or engineered. In this case, this useful tool can actually add to the complexity they are intended to cut through.

So, what does good assurance mapping look like?

Begin with the end in mind

The first step is to provide a one-page summary of your assurance mapping to senior stakeholders. Draft the output template and begin stakeholder communications to define expectations.

This will ensure that results can be summarised in a way that allows stakeholders to use it as an input to decision making. This includes agreeing how much assurance mapping is expected against each risk, how you will represent opinions on both the quality and coverage of the assurance and how you will show the impact of the assessments made.

Keep assurance mapping simple and flag early wins

Be sure to agree realistic expectations and avoid getting lost in the detail. The most effective assurance mapping is iterative and evolves as understanding increases across the business.

Provide an initial high-level overview, highlighting potential gaps that need to be addressed by management, before performing a deeper analysis.

A phased approach to assurance mapping

Consider how assurance mapping can offer a deep dive on specific risk areas, such as compliance or data privacy, where assurance is generally more established or understood. Or use discrete business units as a pilot to road test and refine your approach.

Define your lines

There may not always be a clear delineation between first- and second-line activities. For example, finance, HR and IT blend operational management with compliance and monitoring roles.

Assess effectiveness

Consider the level of reliance that can be placed on each assurance provider and how you will assess their quality and coverage This is impacted by their remit and focus, skills and competence, resources, consistency of process, oversight and reporting, independence and objectivity.

Understand drivers for assurance

Clarify the reasons for existing assurance activities. Are they:

  • due to regulatory or compliance-led drivers?
  • based on customer requirements or expectations?
  • corporate policy or just learned behaviour?

This will help determine what assurance activities are designed for, and whether they can be changed.

Plan for difficulties with assurance mapping

Not all functions you have defined as second-line will agree or understand what that role involves.

We often have discussions with functions that agree they are responsible for setting policy, but not that they have a role to define processes and controls, or monitor compliance. We also see many second-line functions that focus on specific areas of the business, such as divisions or regions, with a much-looser understanding of areas outside the adopted boundary.

Internal audit must continue to drive high-quality challenge around the risk and assurance agenda. The discussions and actions that follow are essential to helping boards deliver better and more-efficient governance.

If you would like to discuss how you could improve your assurance mapping, or risk management frameworks generally, contact Eddie Best.

Our services

Internal audit services

Find out more